Google Chrome bug allows sites to spy on you by secretly recording audio and video

Google said that it will 'improve the situation' but that it doesn't consider the issue as a security vulnerability.

The bug could potentially be weaponised and used for spying on targetsReuters

A new Google Chrome bug has been uncovered, which reportedly allows websites to record audio and video, without alerting the user or providing any visual indicators. Although the bug requires users to grant it permission to access audio and video features, according to the security researcher who discovered the flaw, it could potentially be weaponised and used for spying on targets.

The bug was reportedly discovered by AOL developer Ran Bar-Zik, who reported the flaw to Google. However, Google said that it doesn't consider the issue to be valid security vulnerability, indicating that there is no quick fix on the way. Bar-Zik told BleepingComputer that he came across the bug at work, when handling a website that ran WebRTC code, which is a protocol that allows real-time audio and video content to streamed over the Internet.

When audio or video is usually recorded on Chrome, a "red circle and dot" generally appears on the tab to indicate that the streaming is live. However, Bar-Zik discovered that the code that allows recording doesn't always need to run on the Chrome tab where the permission was granted. Instead, the bug allowed the researcher the ability to launch a headless Chrome pop-up where he could commence recording audio and video, without the red circle and dot.

Although Google refused to consider this as one security vulnerability, it did agree to find ways to "improve the situation."

Bar-Zik, however, believes that Google's assessment of the flaw may be underestimating the potential threat. The researcher argued that users are likely to click on permissions without properly reading and/or understanding what they are agreeing to and once a user has granted permission, hackers could potentially launch more sophisticated attacks.

"Real attacks will not be very obvious," Bar-Zik said.

Google may be justified in not treating this as security vulnerability, given that the red circle and dot icon is not available in all Chrome versions. Nevertheless, the bug is a loophole, which could be exploited. To stay safe, users must be vigilant when granting permissions to websites.